CISA
The IS audit professional should disclose what 3 things in the report of materiality: 1. 2. 3.
1. Absence of controls of ineffective controls 2. Significance of the control deficiency 3. Probability of these weaknesses resulting in a significant deficiency or material weakness
When using the work of other experts: The audit and assurance processional shall... 1. Access and approve.. 2. Review and evaluate.. 3. Determine if others work.. 4. Dtermine if the work will.. 5. Apply additional.. 6. Provide..
1. Assess and approve other expert's professional qualifications, competencies, relevant experience, and independence and quality control processes prior to the engagement 2. review and evaluate the work of the experts as part of the engagement, and document the conclusion on the extent of use and reliance on their work 3. determine if others work, who are not apart of the engagement team, is complete and conclude on the current engagement objectives, and clearly document the conclusion. 4. determine if the work will be relied on and incorporated directed or referred to separately in the report 5. apply additional tests procedures to gain sufficient and appropriate evidence in circumstances where the work of there does not provide sufficient and appropriate evidence 6. provide an appropriate audit opinion or conclusion and include any scope limitation where required evidence is not obtained through additional test procedures
What is comprised in the "General" group of IS Auditing? 1. A 2. O 3. P 4. R 5. D 6. P 7. A 8. C
1. Audit Charter 2. Organizational Independence 3. Professional Independence 4. Reasonable Expectation 5. Due Professional Care 6. Proficiency 7. Assertions 8. Criteria
IS audit can functional as 3 different roles
1. Be apart of an internal audit 2. Function as an independent group 3. Integrated within a financial and operational audit to provide IT-related control assurance to the financial or management auditors
Performance and Supervision: The IS audit and assurance professional shall.. 1. Conduct... 2. Provide... 3. Accept... 4. Obtain...
1. Conduct the work in accordance with the approved IS audit plan to over identified risk and within the agreed on schedule 2. provide supervision of the stuff to accomplish the objectives and meet applicable standards 3. accept tasks that are within their knowledge and skills or for which they have reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision 4. obtain sufficient and appropriate evidence to achieve the audit objectives. Findings and conclusions shall be supported by analysis and interpretation of the evidence
For "irregularity and illegal acts".. the IS audit and assurance professional shall.. 1. 2. 3.
1. Consider the risk of irregularities and illegal acts during the engagement 2. Maintain an attitude of professional skepticism during the engagement 3. document and communicate any material irregularities or illegal act to the appropriate party in a timely manner
5 Tasks within the domain covering the process of auditing information systems
1. Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included 2. Plan specific audits to determine whether information systems are protected, controlled and provided value to the organization 3. Conduct audits in accordance with IT audit standards to achieve planned audit objectives 4. Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary 5. Conduct follow ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner
What is comprised in the "Performance" group of IS Auditing? 1. 2. 3. 4. 5. 6. 7.
1. Engagement Planning 2. Risk Assessment in Planning 3. Performance and Supervision 4. Materiality 5. Evidence 6. Using the work of other experts 7. Irregularity and Illegal Acts
Index of Audit and Assurance has a framework that helps guide the "effect of non-audit role on the IS audit and Assurance professional's independent" is to enable the IS auditor to: 1. Establish.... 2. Consider... 3. Determine...
1. Establish when the required independence may be, or may appear to be, impaired 2. Consider potential alternative approaches to the audit process when the required independence is , or may appear to be, impaired 3. Determine the disclosure requirements
Evidence that professionals shall obtain.. 1. Evidence to draw ______ 2. Evidence obtained should support conclusions and ____
1. Evidence to draw reasonable conclusions on which to base the engagement results 2. Evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objects
What are broken into 3 Standards groups for IS Auditing
1. General 2. Performance 3. Reporting
Information Technology Assurance Framework (ITAF) is made up of 5 parts: 1. 2. 3. 4. 5.
1. General Standards 2. Performance 3. Reporting 4 Guidelines 5. Tools and Techniques
Business risk may negatively impact the assess, processes or objectives of a specific business or organization. IS auditors focus on... 1. High... 2. Availability or integrity of.... 3. Underlying...
1. High risk issues associated with confidentiality, 2. Availability or integrity of sensitive/critical information, 3. Underlying information systems and processes that generate, store, and manipulate such information
How would one audit for compliance with laws and regulations? (5 things) 1. Identify... 2. Document... 3. Access... 4. Review... 5. Determine..
1. Identify those government or other relevant external requirements dealing with: electronic data, personal data, copy rights, e-commerce, e-signatures, computer system practices and controls, the way computers, programs, and data are stored, organization or activities of IT services, IT audits 2. Document applicable laws and regulations 3. Access whether the management of the organization and the IS function have considered the relevant external requirements in making plans and setting policies, standards and procedures, as well as business application features 4. Review internal IS department/function/activity documents that address adherence to establish procedures that address these requirements 5. determine if there are procedures in place to ensure contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities
In order to ID risks types and the controls used to mitigate the risks, IS auditors need to know: 1. 2. 3.
1. Knowledge of common business risks, 2. Related technology risks and relevant controls 3. must be able evaluate the risk assessment and management techniques used by business managers
Areas that would impact audit scope and audit objectives?
1. Legal requirements (laws, regulatory and contractual agreements) placed on audit or IS audit 2. Legal requirements placed on the auditee and it's systems, data management, reporting, etc. (this is most important to internal and external auditors)
"Engagement Planning" is used to address: 1. 2. 3. 4. 5.
1. Objective (s), Scope, Timeline and deliverables 2. Compliance with applicable laws and professional auditing standards 3. Use of a risk-based approach, where appropriate 4. engagement specific issues 5. Documentation and reporting requirements
The Performance Standard of "Planning and Supervision" should address 1. Objective... 2. Criteria.. 3. Level of.. 4. Nature... 5. Possible... 6. Availability 7. Preliminary 8. Resource 9. Nature 10. Conditions 11. Anticipation 12. Nature
1. Objective of the assignment 2. Criteria to be used in the assignment 3. Level of assurance required 4. Nature of the subject matter 5. Possible sources of information and evidence 6. Availability of resources 7. Preliminary consultations on risks 8. Resource and expertise requirements 9. Natures, extent and timing of various 10. Conditions that may require extension of modification 11. anticipation of time requirements 12. Nature of the
Materiality: The IS audit and assurance professional shall consider 1.
1. Potential weaknesses or absences of control while planning an engagement, and whether such weaknesses or absences of the controls could result 2. Materiality and its relationship to audit risk while determiningthe nature, timing, and extent of audit procedures 3. Cumulatibe effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or material weakness
Proficiency: The IS audit and assurance professional, collectively with other assisting with the assignment, shall possess... 1. 2. 3.
1. adequate skills and proficiency in conducting IS audit and assurance engagements and be professionally competent to perform the work required 2. adequate knowledge of the subject matter 3. Maintain professional competence through appropriate continuing professional education and training
Risk Assessment in Planning: The IS audit and Assurance function shall use.. 1. Appropriate.. 2. Identify... 3. Consider...
1. appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources 2. identify and assess risk relevant to the area under review, when planning individual engagements 3. consider subject matter risk, audit risk, and related exposure to the enterprise
The IS auditor must have an understanding of the overall environment under review.. that includes 1. 2.
1. business practices and functions relating to the audit subject 2. types of information systems and technology supporting the activity
3 Steps that are dependent upon having a thorough understanding of the business's objectives and purpose?
1. defining audit deliverables 2. finalize the audit scope and audit objectives 3. develop the audit approach or audit strategy
"reporting".. the IS audit and assurance professional shall provide a report to communicate the following: 1. 2. 3. 4. 5. any findings should be supported by the sufficient and appropriate evidence
1. identification of the enterprise, the intended recipients and any restrictions on content and circulation 2. the scope, engagement objectives, period of coverage, and nature, timing and extent of the work performed 3. findings, conclusions, and recommendations 4. qualifications or limitations in scope with respect to the engagement 5. Signature, date, and distribution according to the terms of the audit charter or engagement letter
Engagement Project Plan should describe the: 1. ____, _____, ______ 2. Timing and _____
1. nature, objectives, timeline and resource requirements 2. timing and extent of audit procedures to complete the engagement
How does reasonable expectation apply to an IS audit professional? 1. 2. 3.
1. professional shall have reasonable expectation that the engagement can be completed in compliance with standards and other professional or industry standards or regulations and result in a professional opinion or conclusion 2. professional shall have reasonable expectation that the scope of the engagement enables conclusion on the subject matter and addresses any restrictions 3. professional shall have reasonable expectation that management understands its obligations and responsibilities with respect to the provision of appropriate, relevant and timely information required to perform the engagement
An IS auditor should have a clear understand of what 4 concepts when analyzing business risks..
1. purpose and nature of the business and the environment it operates in 2. dependence of technology to process and deliver information 3. risk of using IT and how it impacts the achievement of the business goals and objectives 4. overview of business processes and the impact of IT and risks on the business process objectives
The IS audit and assurance professional shall... 1. Select criteria.... 2. Consider the source..
1. select criteria, against which the subject matter will be assessed, that are objectives, complete, relevant, measurable, understandable, widely recognized, authoritative and understood by, or available to, all readers and users of the IS audit or assurance report 2. consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser - knows criteria
The Performance Standard of "representation" would include matters that include: 1. 2. 3. 4. 5. 6. 7. 8. 9.
1. statement acknowledging responsibility for subject matter and assertions 2. statement by acknowledging responsibility for the criteria 3. statement acknowledging the criteria are appropriate for the purposes 4. list of assertions about the subject matter based on the criteria selection 5. statement that all known matters contradict assertions that have been disclosed 6. statement that all communications from regulators affecting the subject matter or the assertions have been disclosed 7. statement that professionals have been provided access to all relevant information and recons to the subject matter 8. list of events that have occurred in subsequent to the date of the audit report 9. other matters that the IS audit and assurance professional may deem relevant or appropriate
The IS auditor should develop an audit plan that takes into consideration the what 2 things:
1. the objectives of the auditee relevant to the audit area and its technology infrastructure. 2. the area under review and its relationship to the organization (strategically, financially, and/or operationally)
What is a management control?
A management control modifies processing systems to minimize a repeat occurrence of the problem. i.e. back up takes don't modify processing systems and do not fit the definition of a management control
What is a preventative control?
A preventive controls are those that avert problems before they arise
"Reporting Standards" of the ITAF Framework is..
Address the types of reports, means of communication and the information communicated
What should one look into when your analyzing short term and long term issues: (4 things) How often should you assess issues?
Annually, you should at least look into... 1. Take into account new control issues 2. Changes in the risk environment 3. Technologies and business processes 4. enhanced evaluation techniques During the annual planning, it should be updated if any key aspects of the risk environment have changed (acquisitions, new regulatory issues, market conditions)
While developing a risk-based audit program, what would an IS auditor most likely focus on? a. business processes b. critical IT application c. operational controls d. business strategies
Business Processes A risk - based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. An IS auditor using a risk-based audit approach must be able to understand business processes
"Performance Standards" of the ITAF Framework is...
Conduct of the specific assignment like planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, evidence, and exercising of professional judgment and due care
What is control risk?
Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls.
Back up tapes are used to restore the files in case of disruption. This is a ____ control
Corrective - a corrective control helps to correct or minimize the impact of a problem
Index of Audit and Assurance guidelines for an audit chart is to assist the IS auditor to prepare an audit chart to define the ____, ______, and ______ of the IS Function. The IS auditor should consider it in determining how to achieve _____of the above standard, use _________ in its application and be prepared to justify any departure.
Define the responsibility, authority, and accountability Determining how to active implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.
What is detection risks?
Detection risk is the risk that a material misstatement with a management assertion will not be detected by the auditor substantive tests.
What is a detective control?
Detective controls help to detect and report problems as they occur - back up tapes do not aid in detecting errors - so its not a detective control
Which of the following is MOST effective for implementing a control self - assessment (CSA) within business unites? a. informal peer reviews b. facilitate workshops c. process flow narratives d. data follow diagrams
Facilitate workshops - they work will within business units. Process flow narratives and data flow diagrams wouldn't be as effective since they would not necessarily identify and assess all control issues. Informal peer reviews similarly would be less effective for the same reason.
"Guidelines" of the ITAF focus on.... ____, ______, ____ and _____, and related material to assist in planning, executing, assessing, testing, and reporting on IT processes, controls and related audit initiatives.
Guidelines focus on approaches, mythologies, tools and techniques, and related material to assist in planning, executing, assessing, testing, and reporting on IT processes, controls and related audit initiatives.
What conditions does the Basel Committee on Banking Supervision show improvement in if you follow their conditions and requirements
Improvement in: Credit Risk, Operational Risk Market Risk
What types of audit risks assumes an absence of compensating controls in the area being reviewed? a. control risk b. detection risk c. inherent risk d. sampling risk
Inherent Risk. The risk level or exposure without taking into account the actions that management has taken or might take in inherent risk.
In performing a risk-based audit, what is the risk assessment that is completed initially by the IS auditor?
Inherent risk - it exists independently of an audit and can occur because of the nature of the business. To perform the audit the IS auditor needs to understand the business process, and by understanding the business process, the IS auditor better understands the inherent risks.
Knowledge Statement 7: Knowledge of evidence collection techniques (observation, inquiry, inspections) used to gather, protect and preserve audit evidence....what are the key concepts and explanation
Key Concepts: Application and relative value of computer - assisted audit techniques, techniques for obtaining evidence, computer-assisted audit techniques, factors to consider in collection, protestation and chain of custody of audit evidence in an IS audit, specialized considerations in audit document for evidence, continues auditing techniques Explanation: findings must be supported by objective evidence. Care should be taken for any evidence that is preserved as a hard copy. Retention policies for electronic evidence be sufficient to preserve evidence that supports the findings. conclusions should be supported by reliable and relevant evidence. Evidence collected follows a life cycle included collection, analysis, and preservation and destruction of evidence. Audit evidence should include information regarding date of creation and original source. continuous auditing measures by an automated reporting process that enables management to be aware of emerging risks or control weaknesses without the need for a regular audit
Knowledge Statement 1: Knowledge of the ISACA IT audit and assurance standards, guidelines, and tools and techniques; Code of professional ethics; and other applicable standards... what are the key concepts and explanation
Key Concepts: Code of Professional ethics and IS audit and assurance standards, guidelines, and tools and techniques explanation: these standards and rules are issued to provide a framework of minimum and essential references regarding how an IS audit should perform work and act in a professional manner
Knowledge Statement 10: Knowledge of audit quality assurance systems and frameworks.. what are the key concepts and explanations
Key Concepts: Impact of IS environment on IS auditing practices and techniqures, points of relevance while using services of other auditors and experts, audit quality evaluation, advantages and disadvantages of CSA, the role of the auditor in CSA, relevance of different technologies drives for CSA in the current business environment, relevance of different approaches in CSA in given context, applying communication techniques to facilitation roles in control self-assessments, audit quality evaluation Explanation: IS is a branch of IS auditing. Auditing standards are the minimum parameters that should be taking. CSA (Control Self Assessment) is a process in which an IS audit can act in the role of facilitator to the business process owners to help them define and assess appropriate controls. results must be interpreting with a certain level of skepticism because process owners are not always objective when assessing their own activates
Knowledge Statement 9: Knowledge of reporting and communication techniques (Facilitation, negotiation, conflict resolution, audit report structure)....what are the key concepts and explanation
Key Concepts: Understanding reporting standards, applying various communication techniques to the reporting of audit results, applying communication techniques to facilitation roles in control self - assessments Explanation: Communication and negation skills are required throughout the audit activity, successful resolution of audit findings with auditees is essential so that auditees will adopt the recommendations in the report and initiate prompt corrective action
Knowledge Statement 2: Knowledge of risk assessment concepts, tools and techniques in an audit context.. what are the key concepts and explanation
Key Concepts: impact of risks assessment on IS auditing, understanding risks analysis concepts within an auditing context, applying risk analysis techniques during audit planning explanation: overall, the audit plan should be based on business risks related to the use of IT and the IS audit should be aware of the need to focus on this risk. The auditing should be able to put into the practice the risk techniques needed to identify and prioritize business risks within audit scope. The IS auditor must takes steps to minimize associated elements such as sampling risk, detection risks, materially of findings
Knowledge Statement 6: Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits....what are the key concepts and explanation
Key concepts: Factors to consider in collection, protection and chain of custody of audit evidence in an IS audit, special considerations in audit documentation for evidence Explanation: laws and regulations often determine scope, frequency, and types of audits, and how reporting requirements are affected
Knowledge Statement 4: Knowledge of audit planning and audit project management techinques, including follow up.. what are the key concepts and explanation
Key concepts: application of audit planning techniques, and impact of IS environment on IS auditing practices and techniques explanation: audit planning request a similar level of preplanning to ensure an appropriate and efficient use of audit resources.. auditors need to understand the planning and management techniques to properly management the audit and avoid an inefficient utilization of resources
Knowledge Statement 3: Knowledge of control objectives and controls related to Information systems.. what are the key concepts and explanation
Key concepts: proper auditing planning techniques, understanding control objectives Explanation: understanding control objectives and identifying the key controls that help achieve a properly controlled environment are essential for the effectiveness and efficiency of the IS audit process.
Knowledge Statement 8: Knowledge of different sampling methodologies...what are the key concepts and explanation
Key concepts: relative use of compliance and substantive testing, basic approaches to sampling their relation to testing approaches Explanation: compliance testing is evidence gathering for the purpose of testing an enterprises compliance with control procedures, this differences from substantive testing in which evidence id gathers to evaluate the integrity of individuals transactions, data or other information. There's a correlation with the level of internal controls and the amount of substantive testing required. Sampling is preformed when the time and cost of considerations preclude a total verification of all transactions or events in a predefined population
Knowledge Statement 5: Knowledge of Fundamental business processes (purchasing, payroll, accounts payable, accounts receivable) including relevant IT...what are the key concepts and explanation
Key concepts: understanding risk analysis concepts within an auditing context, understanding control objectives Explanation: one must understanding the external and internal factors affecting the entity, the entities selection and application of policies and procedures. One must also obtain an understanding of some key components such as the entities strategic management, business model, and corporate governance processes and the kinds of transactions the entity engages in and with whom it transact.
10 Knowledge Statements within the domain covering the process of auditing information systems
Knowledge of... 1. ISACA IT Audit and Assurance standards, guidelines, and tools and techniques; code of professional ethics; and other applicable standards 2. risk assessment concepts, tools and techniques in an audit context 3. control objects and controls related to information systems 4. audit planning and audit project management techniques, including follow up 5. fundamental business processes (purchasing, payrolls, accounts payable, accounts receivable) including relevant IT 6. applicable laws and regulations that affect the sopce, evidence collection and preservation, and frequency of audits 7. evidence collection techniques (observation, inquiry, inspectation) 8. different sampling methodologies 9. reporting and communication techniques (faciliatation, negotiation, conflict resolution,) 10. Audit quality assurance systems and frameworks
what is an audit universe?
List of all the processes that may be consider for the audit. The processes may be subject to qualitative or quantitative risk assessment by evaluating the risk to defined, relevant risk factors
What are non-sampling risks?
Non-sampling risks is the detection risk not related to sampling; it can be due to a variety of reasons, including, but not limited to, human error.
What is the difference between objective criteria and subjective criteria?
Objective is a statement that is completely unbiased. It is not touched by the speaker's previous experiences or tastes. It is verifiable by looking up facts or performing mathematical calculations. Subjective is a statement that has been colored by the character of the speaker or writer. It often has a basis in reality, but reflects the perspective through with the speaker views reality. It cannot be verified using concrete facts and figures
"Tools and Techniques" of the ITAF Framework is... They are directly linked to...
Provide specific information on methodologies, tools and templates - and provide direction in their application and use to operationalize the information provided in the guidance Tools and Techniques are directly linked to specific guidelines (I.E. - ISACA publication on SAP - which supports the guideline on enterprise resource planning (ERP) system.
An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
Review the system software controls as relevant and recommend a detailed system software review. The IS auditor is not expected to ignore control weakness just because they are outside the scope of a current review. Further, the conduct of a detailed systems software review may hamper the audits schedule and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses that they have discovered by the IS auditor, they should be disclosed. By issues a disclaimer, this responsibility would be waived. The appropriate option would be to review the systems software as relevant to the review and recommend a detailed system software review for which additional resources may be recommended
The approach an IS auditor should use to plan IS audit coverage should be based on...
Risk - Planning establishes standards and provides guidance on planning an audit. It requires a risk-based approach
What are risk factors and how are they evaluated?
Risk factors are factors that influence the frequency and or business impact of risk scenarios. The evaluation of risks should ideally be based on inputs from the business process owners and should be based on objective criteria.
What is sampling risks?
Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.
Short-term vs. Long-term
Short term planning takes into account audit issues that will be covered during the year Long-term planning relates to audit plans that will take into account risk-related issues regarding changes in the organizations IT strategic director that will affective the organization's IT environment
Standards: Guidelines: Tools and Techniques:
Standards are defined ad are to be followed by the IS auditor Guidelines provide assistance on how the auditor can implement standards Tools and techniques are not intended to provide exhaustive guidance to the auditor when performing an audit; its example steps the auditor may follow in specific audit assignments to implement the standards
What are substantive tests?
Substantive Tests are made up of two components: sampling risk and non-sampling risks. Non-sampling risks is the detection risk not related to sampling; it can be due to a variety of reasons, including, but not limited to, human error. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.
What is the Basel Accords (I, II and III) and what will companies see improvement in?
The Basel Accords regulate the minimum amount of capital for financial organzations based on thelevel of risk they face. It recommends conditional and capital requirements that manage risk exposure. These conditions will result in improvement in: Credit
What is Organizational Independence and how is that applied to IS audit and Assurance function?
The IS audit and assurance function shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement.
The IS audit and assurance professional shall review the _____ against which the subject matter will be assessed to ________ are capable of being audited and that the assertions are sufficient, valid and relevant.
The IS audit and assurance professional shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.
What is the Sarbanes - Oxley Act of 2002 required companies to do?
The Sarbanes - Oxley Act of 2002 now requires an evaluation of an organizations internal controls now provides for new corporate governance rules, regulations and standards for specific public companies included the SEC (Securities and Exchange Commission) registrants. Requires organizations to select and implement a suitable internal control framework (COSO) is most commonly adopted framework by public companies seeking to comply
What is the overall authority to perform an IS audit?
The approved audit charter
What is the approved audit charter?
The approved audit charter outlines the auditor's responsibility, authority and accountability, objectives for, and delegation of authority to, the IS audit function. This document should outline overall authority, scope and responsibilities of the audit function.
Difference between the audit charter and an engagement letter?
The audit charter is an overarching document that covers the entire scope of audit activities in an entity while an engagement letter is more focused on a particular audit exercise that is sound to be initiated in an organization with a specific objective in mind
The _____ reflects the mandate of top management to the audit function and resides at a ______ level.
The audit charter reflects the mandates of top management to the audit function and resides at a more abstract level.
What is comprised of the Audit Charter? 1. 2.
The audit charter will indicate the purpose, responsibility, authority, and accountability of the audit function. The IS audit and assurance function shall have the audit charter agreed upon and approved at an appropriate level within the enterprise
Definition of risk used within the information security business world..
The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
Which is the most important reason why an audit planning process should be reviewed at periodic intervals? a. to plan for deployment of available audit resources b. to consider changes to the risk environment c. to provide inputs for documentation of the audit charter d. to identify the applicable IS audit standards
To consider changes to the risk environment Short term and long term issues that drive audit planning can be impacted by the changes in the risk environment, technologies and business processes of the enterprise. Planning for deployment of available audit resources in determined by the audit assignments planned, which is influence by the planning process.
The General Standard of "Independence and Objectivity" means the professional must conduct the assignment with...
an impartial and unbiased frame of mind in addressing the issues and reaching conclusions. The professional must appear independent at all times
Index of Audit and Assurance has "follow up activities" that are used as a guideline to provide direction to auditors to... _________ in following up on ______ and audit comments made in reports
engaged recommendations
The General Standard of "Due Professional care" means..
exercising due care in planning, performing and reporting on the results of the assignment
What is the first step in planning an audit:
gain an understanding of the business's mission, objectives and purpose, which in turn identifies the relevant policies, standards, guidelines, procedures, and organization structure.
Risk Analysis is part of audit planning and helps...
identify risks and vulnerabilities so the IS auditor can determine the controls needed to mitigate those risks
"Guidelines" of the ITAF Framework is.. "guidelines help clarify what...
information and direction of the audit area. Guidelines also help clarify the relationship between enterprise activities and initiatives and those undertaken by IT
Index of Audit and Assurance guidelines for considerations for irregularities and illegal acts is to provide guidance to IS auditors to deal with ______ or ______ they may come across during the performance of audit assignments. This act elaborates on ____ and _____ by IS auditors for _______ and illegal acts. The IS auditor should consider it in determined how to achieve implementation of the previously identified standards, use professional judgment in its application and be prepared to justify any departure
irregular or illegal activities requirements and considerations irregularities
The General Standard of "Management's Acknowledgement" means that...
management understands his or her obligations and responsibility with respect to the provision of information that may be required in performance the assignment and responsibility to ensure the cooperation of personnel during the audit or assurance activity
The follow-up activities that an audit and assurance professional shall..
monitor information to conclude whether management has planned/taken appropriate, timely action to address reported audit findings and recommendations
Applicability of IS audit standards, guidelines and procedures is universal to any audit engagement and is _________ by short and long term issues
not influenced by short term and long term issues
What is Due Professional care?
observing of applicable professional audit standards, in planning, performing and reporting on the results of engagements
"General Standard" of the ITAF Framework is...
principles in which they operate. They apply conduct to all assignments and deal with ethics, independence, objectivity and due care as well as knowledge, competency and skill
The General Standard of "Training and Proficiency" means..
professionals should have the right skills and proficiency in conducting IS audit and assurance assignments to enable the processionals to perform the work required
The Performance Standard of "obtaining sufficient evidence" should...
provide a reasonable basis for the conclusions drawn and expressed in the audit report, should be obtained through inspection, observation, enquiry, confirmation, re-performance analysis and discussion, and the source of the evidence is considered when assessing the audit procedure
The Performance Standard of "assignment performance" is...
scheduled with staff that are using their knowledge or skills, must address the objectives and mandate the audit
Governmental and external requires related to computer system practices and controls and to the manner in which, 1. Computer, programs and data are ________ as well as 2. the way data is ___________
stored and used processed, transmitted and stored
The General Standard of "Suitable Criteria" means..
subject matter should be evaluated to criteria of: 1. Objectivity - free of bias 2. Measurability - consistent measurement 3. Understandability - communicated clearly and not subject to different interpretations 4. Completeness - complete so all criteria that could affect the audit conclusions about the subject matter are identified and used in conduct of the assignment 5. Relevance - criteria should be relevant to the subject matter and contribute to findings and conclusions that meet the objectives of the IS assurance assignment
The General Standard of "Reasonable Expectation" means that...
the assurance assignment can be completed in accordance with the IS assurance standards, and result in a professional opinion
What is professional independence for the IS audit and assurance professional?
the professional shall be independent and object in both attitude and appearance in all matters related to audit and assurance engagements
The General Standard the "Knowledge of the Subject Matter" means...
the professional should have adequate knowledge of the subject matter
IT risk is business risk associated with the... ____, ____, ____, ____, _____, and _____ of IT within an enterprise.
use, ownership, operations, involvement, influence and adoption IT risk consists of IT related events that could potentially impact the business.